[RPZ] RPZ seen at MAAWG
vixie at isc.org
Sat Oct 9 19:59:55 UTC 2010
> Date: Fri, 8 Oct 2010 12:16:41 -0700
> From: Jeff Chan <jeffc at surbl.org>
> On Wednesday, October 6, 2010, 7:54:31 AM, Eric Ziegast wrote:
> > #### ISC does not publish any RPZ or give perception of publishing
that may change. i'm thinking of creating an incident-level rpz that lists
only things like licat and conficker names, as a technology demonstration.
> > #### SuperWildcard
> > The limitation of wildcard records could be an issue. I one lists:
> > mecom.ae.@ IN A .
> > *.mecom.ae.@ IN A .
> > How does one take care of www.qatar.mecom.ae without specifically
> > listing *.qatar.mecom.ae in the zone? Do we need a Super Wildcard
> > capability in zone file specifications that matches all sub-domains?
> > not just the current level?
sorry, hadn't seen this before. it is indeed the "superwild" you describe,
since it's just dns. so just as *.vix.com would match www.lah1.vix.com in
a normal dns zone file, so *.mecom.ae matches www.qatar.mecom.ae in an RPZ.
> Actually a super wildcard that included the parent domain would be
> extremely handy. If it existed, then the example above could be
> collapsed to:
> *.mecom.ae.@ IN A .
> which would halve the size of the zone file. Vix indirectly
> commented on this privately.
yes i did. what i finally decided was, most of the time bad domains are
specific, and we don't need to be adding the * pattern, since the bad guys
are not going to evade a foobar.info blockade by using baz.foobar.info. if
that changes then we can adapt easily. for now it's a lot of extra patterns
and a lot of more or less wasted ram to include the * patterns we all add.
> I'd bet that Nominum already has a similar functionality, so I'd guess it
> would not be too hard for them to add RPZ support. In fact, I'd
> recommend they do.
More information about the DNSfirewalls